WordPress Plugin Flaw Lets Subscribers Gain Admin Privileges
CVE Notify has flagged a critical vulnerability, classified as an Insecure Direct Object Reference (IDOR) and in practice a mass-assignment flaw, in the MStore API plugin for WordPress, affecting all versions up to and including 4.18.3. The issue lies in the update_user_profile() function in controllers/flutter-user.php. The function reads a meta_data JSON parameter from the raw request body (php://input) and, after authenticating the caller via the WordPress login cookie, iterates over the supplied meta_data array and passes each key and value straight to update_user_meta() for the caller's own account. There is no allow-list of permitted keys and no sanitization of values, so any authenticated user, including one holding only the Subscriber role, can write arbitrary user meta fields for their own account.
The implications are significant. Because the write is keyed only on the caller's user ID, the attacker can target meta keys that WordPress and other plugins treat as authorization state. The user level field (stored under the site's table prefix, so wp_user_level on a default install) can be set to 10, which legacy WordPress checks and older plugins interpret as administrator. Plugin-specific authorization flags such as _wpuf_user_active or aiowps_account_status can be flipped to activate or deactivate accounts. Billing and profile fields can be filled with unsanitized values, which creates a Stored Cross-Site Scripting (XSS) risk wherever those fields are rendered, particularly in administrative screens. The report states that directly altering wp_capabilities is blocked because that key must hold a serialized array; note that update_user_meta() serializes any array it is handed, so whether that protection holds depends on how the plugin coerces values before the call. Either way, the integer user level and the many plugin-specific meta keys remain straightforward targets.
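The following is an added illustration, not the MStore API plugin's code: a reconstruction of the vulnerable pattern as the advisory describes it, placed beside a hardened version that allow-lists editable keys, applies a per-key sanitizer, refuses non-scalar values, and explicitly denies the core privilege keys. The function names mstore_update_profile_vulnerable() / mstore_update_profile_hardened() and the set of allowed billing/profile keys are assumptions chosen for the example.

```php
<?php
// Added example: reconstruction of the described flaw and a hardened replacement.
// NOT the plugin's actual code; function names and the allow-list are assumptions.

// Vulnerable shape: every key in meta_data reaches update_user_meta().
function mstore_update_profile_vulnerable() {
    $user_id = get_current_user_id();                 // cookie-authenticated caller
    if ( ! $user_id ) {
        return new WP_Error( 'unauthorized', 'Login required', array( 'status' => 401 ) );
    }
    $body = json_decode( file_get_contents( 'php://input' ), true );
    foreach ( (array) ( $body['meta_data'] ?? array() ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );   // attacker controls key AND value
    }
    return true;
}

// Hardened: allow-list with sanitizers, scalar-only values, deny core privilege keys.
function mstore_update_profile_hardened() {
    global $wpdb;
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        return new WP_Error( 'unauthorized', 'Login required', array( 'status' => 401 ) );
    }
    $raw = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $raw ) || ! is_array( $raw['meta_data'] ?? null ) ) {
        return new WP_Error( 'bad_request', 'meta_data must be a JSON object', array( 'status' => 400 ) );
    }

    // Fields a user may edit about themselves, each paired with its sanitizer (assumed set).
    $allowed = array(
        'first_name'    => 'sanitize_text_field',
        'last_name'     => 'sanitize_text_field',
        'billing_phone' => 'sanitize_text_field',
        'billing_city'  => 'sanitize_text_field',
        'billing_email' => 'sanitize_email',
        'description'   => 'sanitize_textarea_field',
    );
    // Core keys that must never be writable here. Note the table-prefixed names:
    // on a default install these are wp_capabilities and wp_user_level.
    $denied = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
        'session_tokens',
    );

    $rejected = array();
    foreach ( $raw['meta_data'] as $key => $value ) {
        $key = (string) $key;
        // is_protected_meta() only catches keys beginning with "_"; the allow-list
        // is what actually stops wp_user_level and aiowps_account_status.
        if ( in_array( $key, $denied, true ) || ! isset( $allowed[ $key ] ) || is_protected_meta( $key, 'user' ) ) {
            $rejected[] = $key;
            continue;
        }
        // Arrays/objects would be serialized into the meta row; refuse them outright.
        if ( ! is_scalar( $value ) ) {
            $rejected[] = $key;
            continue;
        }
        update_user_meta( $user_id, $key, call_user_func( $allowed[ $key ], (string) $value ) );
    }
    if ( $rejected ) {
        // Log rather than silently drop: repeated rejections of wp_user_level are a signal.
        error_log( sprintf( 'profile update: rejected meta keys for user %d: %s', $user_id, implode( ',', $rejected ) ) );
    }
    return true;
}
```

Two further points for the hardened path: a cookie-authenticated endpoint that performs writes should also require a WordPress nonce (the X-WP-Nonce header checked via wp_verify_nonce()), otherwise the write is reachable by CSRF; and if the endpoint is exposed through the REST API, register it with register_rest_route() and a permission_callback rather than relying on the cookie alone.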
What This Means For You
- Security teams should inventory their WordPress environments for the MStore API plugin and confirm it is updated to a version later than 4.18.3. Where an update is not yet possible, disable the plugin, because the flaw allows privilege escalation from the lowest-privileged authenticated role.
- Patching closes the write path but does not undo writes that already happened. Review wp_usermeta for non-administrator accounts carrying user_level 10, for unexpected values in _wpuf_user_active or aiowps_account_status, and for markup in billing or profile fields, and reset anything that looks tampered.
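An added audit script, not part of the advisory or the plugin, that performs the checks above from inside WordPress (run it with `wp eval-file audit-usermeta.php`). It assumes the plugin directory is named mstore-api, that a user level of 10 is the legacy administrator level, and that profile or billing fields should never contain a "<" character; the meta keys it inspects are the ones named in the advisory.

```php
<?php
// Added example: audit for the MStore API flaw's side effects. Run via wp eval-file.
// Assumptions: plugin directory "mstore-api"; level 10 == administrator; "<" in a
// billing/profile field is suspicious. Not code from the advisory or the plugin.
require_once ABSPATH . 'wp-admin/includes/plugin.php';   // for get_plugins()

// 1. Is a vulnerable plugin version installed?
function mstore_audit_plugin_version() {
    foreach ( get_plugins() as $file => $data ) {
        if ( strpos( $file, 'mstore-api/' ) === 0 ) {
            $vulnerable = version_compare( $data['Version'], '4.18.3', '<=' );
            return array( 'installed' => true, 'version' => $data['Version'], 'vulnerable' => $vulnerable );
        }
    }
    return array( 'installed' => false, 'version' => null, 'vulnerable' => false );
}

// 2. Which accounts carry meta that the flaw could have written?
function mstore_audit_users() {
    global $wpdb;
    $level_key = $wpdb->prefix . 'user_level';             // wp_user_level on a default install
    $flags     = array( '_wpuf_user_active', 'aiowps_account_status' );
    $findings  = array();

    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
        $user  = get_userdata( $u->ID );
        $roles = (array) $user->roles;

        // user_level is normally derived from capabilities; level 10 without the
        // administrator role means the meta row was written out of band.
        $level = (int) get_user_meta( $u->ID, $level_key, true );
        if ( $level >= 10 && ! in_array( 'administrator', $roles, true ) ) {
            $findings[] = sprintf( '%s (ID %d): %s=%d but roles=[%s]', $u->user_login, $u->ID, $level_key, $level, implode( ',', $roles ) );
        }

        // Plugin authorization flags: report whatever is set so a human can judge it.
        foreach ( $flags as $flag ) {
            $v = get_user_meta( $u->ID, $flag, true );
            if ( $v !== '' && $v !== false ) {
                $findings[] = sprintf( '%s (ID %d): %s=%s', $u->user_login, $u->ID, $flag, var_export( $v, true ) );
            }
        }

        // Stored-XSS check on the fields the flaw can write: markup has no business here.
        foreach ( get_user_meta( $u->ID ) as $key => $values ) {
            if ( ! preg_match( '/^(billing_|shipping_|first_name$|last_name$|nickname$)/', $key ) ) {
                continue;
            }
            foreach ( $values as $v ) {
                if ( is_string( $v ) && strpos( $v, '<' ) !== false ) {
                    $findings[] = sprintf( '%s (ID %d): markup in %s: %s', $u->user_login, $u->ID, $key, substr( $v, 0, 80 ) );
                }
            }
        }
    }
    return $findings;
}

$plugin = mstore_audit_plugin_version();
printf( "MStore API installed: %s, version: %s, vulnerable: %s\n",
    $plugin['installed'] ? 'yes' : 'no', $plugin['version'] ?? '-', $plugin['vulnerable'] ? 'YES' : 'no' );
foreach ( mstore_audit_users() as $line ) {
    echo $line, "\n";
}
```

On a multisite install the capability and user level keys are prefixed per blog, so run the script once per site or swap $wpdb->prefix for $wpdb->get_blog_prefix( $blog_id ). The flag report is deliberately noisy: what counts as a tampered _wpuf_user_active or aiowps_account_status value depends on which of those plugins is installed and how accounts were meant to be provisioned.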
Indicators of Compromise
| ID | Impact | Details |
|---|---|---|
| CVE-2026-3568 | IDOR / mass assignment | MStore API plugin for WordPress, versions up to and including 4.18.3. Vulnerable function: update_user_profile() in controllers/flutter-user.php. Vulnerable parameter: the meta_data JSON object read from php://input; every key in it is passed to update_user_meta(). |
| CVE-2026-3568 | Privilege escalation | Modification of the user level meta key ({prefix}user_level, i.e. wp_user_level on a default install) through update_user_profile(); a value of 10 is read as administrator by legacy checks. |
| CVE-2026-3568 | Stored XSS | Unsanitized values written into billing and profile meta fields through update_user_profile(); triggers wherever those fields are rendered, notably in admin screens. |
| CVE-2026-3568 | Authorization bypass | Modification of plugin-specific account flags (e.g. _wpuf_user_active, aiowps_account_status) through update_user_profile(), allowing accounts to be activated or deactivated without the owning plugin's workflow. |